We have an ASP.NET Core MVC application and want to migrate from on-premise Active Directory to Microsoft Entra ID. Authentication works without any issues, but Authorization does not.

Currently, we use [Authorize(Roles = "GroupX")] or HttpContext.User.IsInRole("GroupX") to check if a user is in a certain group. These groups are security groups in Entra ID.

I replaced

builder.Services 
       .AddAuthentication(IISDefaults.AuthenticationScheme)

with

builder.Services
       .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
       .AddMicrosoftIdentityWebApp(builder.Configuration)

But the user gets redirected to /Account/AccessDenied even when they are assigned to the group.

I also noticed that HttpContext.User.Claims is missing all the roles/groups.

  • Please share your error message. What is the version of your App? Commented Jan 20 at 10:16
  • Don't think it's as simple as a one-line change. learn.microsoft.com/en-us/aspnet/core/security/authentication/… Commented Jan 20 at 10:33
  • @Harshitha There is no error message. As I wrote, the user gets redirected to /Account/AccessDenied as if they were not in the group. We use .NET 8.0. Commented Jan 20 at 10:53
  • Please share your configuration. Commented Jan 20 at 11:06
  • What does your Manifest => GroupMembershipClaims have? Image. Assign a security group to it and check once. Commented Jan 20 at 11:40

1 Answer

I discovered these Examples which helped a lot.

We solved our issue by using App Roles and combining them with security groups in Microsoft Entra.

Then, in our Program.cs we replaced

builder.Services 
       .AddAuthentication(IISDefaults.AuthenticationScheme)

with

using System.IdentityModel.Tokens.Jwt;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;

// Keep the short claim names issued by Entra ID (e.g. "roles") instead of
// letting the JWT handler rename them to the long WS-* claim URIs.
JwtSecurityTokenHandler.DefaultMapInboundClaims = false;

builder.Services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration);

// Tell the identity which claim type carries roles, so IsInRole and
// [Authorize(Roles = "...")] read the App Roles claim ("roles").
builder.Services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    options.TokenValidationParameters.RoleClaimType = "roles";
});
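The reason the redirect to /Account/AccessDenied happens even though the token carries the role is that IsInRole only looks at the claim type the identity was told is its role type. The following is an added, self-contained illustration (not code from the question or answer, and not Microsoft.Identity.Web's own code); the claim set and the "GroupX" role name are constructed samples.

```csharp
using System;
using System.Security.Claims;

static class RoleClaimDemo
{
    // Constructed sample: the claims an Entra ID token carries when the app
    // registration exposes App Roles. The claim type is literally "roles".
    static Claim[] TokenClaims() => new[]
    {
        new Claim("name", "Sample User"),
        new Claim("roles", "GroupX"),   // app role granted through a security group
    };

    // Default behaviour: ClaimsIdentity.RoleClaimType is ClaimTypes.Role
    // ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"),
    // so a "roles" claim is never consulted and IsInRole returns false.
    public static bool IsInRoleWithDefaultRoleType(string role)
    {
        var identity = new ClaimsIdentity(TokenClaims(), "OpenIdConnect");
        return new ClaimsPrincipal(identity).IsInRole(role);
    }

    // With RoleClaimType = "roles" (what TokenValidationParameters.RoleClaimType
    // sets for the identity built from the token), the same claims satisfy
    // IsInRole and therefore [Authorize(Roles = "GroupX")].
    public static bool IsInRoleWithRolesClaimType(string role)
    {
        var identity = new ClaimsIdentity(TokenClaims(), "OpenIdConnect",
            nameType: "name", roleType: "roles");
        return new ClaimsPrincipal(identity).IsInRole(role);
    }

    static void Main()
    {
        Console.WriteLine("default role claim type: " + IsInRoleWithDefaultRoleType("GroupX"));
        Console.WriteLine("RoleClaimType = roles:   " + IsInRoleWithRolesClaimType("GroupX"));
    }
}
```

Dumping HttpContext.User.Claims in a diagnostic action shows the same thing from inside the app: the "roles" values are present, but the identity's RoleClaimType decides whether they count.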